Following a successful internal rollout, New York City’s cybersecurity agency wants to pursue the citywide adoption of a zero-trust security architecture across a government with more than 100 agencies and more than 325,000 employees.
New York City Cyber Command last week published a request for information seeking input from potential vendors who may eventually help the city move its vast computer systems to a zero-trust model, in which security is implemented at every layer of a network, instead of at just the perimeter, and every endpoint is treated as potentially hostile. The approach is also designed to limit users’ access only to materials relevant to their roles.
The RFI seeks input on a variety of security components, including multi-factor authentication, endpoint monitoring, encryption protocols and identity management across a large, federated government organization that operates across multiple public and private cloud environments.
Colin Ahern, a deputy citywide chief information security officer, told StateScoop that NYC3 had adopted zero-trust architecture before the pandemic hit, but that it was particularly handy March 12, when Mayor Bill de Blasio ordered nearly all city personnel to work from home. After the order was given, all NYC3’s employees had to do was take their laptops home and plug in physical tokens — like a YubiKey — to get back to work.
“Within a day, we pivoted more than 100 cybersecurity professionals to remote and not making a configuration change,” Ahern said. But, he said, doing the same for all of New York City government will be “a horse of an entirely different color.”
Still, he said, the appeal of zero-trust architecture has grown thanks to the remote-work boom and New York’s growing digital footprint, which manages operations ranging from traffic-light timing at more than 12,000 intersections to treating 1.3 billion gallons of wastewater daily, to say nothing of newer functions like its response to the COVID-19 crisis.
“Let’s take a user on their city-issued laptop,” he said. “What do I know about this device? Do they have permissions, how are they authenticated? It is not using that [authentication] just for remote access. It’s using that for the business of the agency.”
‘Simple but strategic’
Ahern also said the RFI was motivated by two more recent developments. One was the August publication of zero-trust guidance by the National Institute of Standards and Technology, whose cybersecurity framework is considered a “gold standard.” The second was an article in Foreign Affairs co-authored by Army Gen. Paul Nakasone, the commanding officer of U.S. Cyber Command, endorsing the approach.
“The goal is simple but strategic,” Nakasone and Cyber Command senior adviser Michael Sulmeyer wrote in the article. “We aim to prevent toeholds from turning into beachheads so that a single compromise will not threaten the military’s ability to accomplish its mission.”
Ahern conceded that bringing zero trust to scale in a large, disparate civilian environment like New York City will be a different task.
“The city’s environment is very complex and very federated,” he said. “One of the principal challenges is managing that complexity. Those political systems, those technical systems have developed over time. But we have to respect the environment going forward.”
He also said that zero-trust implementation will be a multi-year process that will continue well after de Blasio, whose term expires at the end of 2021, leaves office. The RFI, Ahern said, is just the first step, and not a procurement action.
“It’s an information-gathering exercise,” he said. “We want an outcome where we’re the most cyber resilient city in the world. Our thesis is that this will be important for the city’s journey.”
Responses to the RFI are due by the end of January, after which NYC3 may move into actual procurement.
“We want more people talking about this architecture because cybersecurity’s a team sport,” Ahern said. “We’re starting to see standards, and we think that should continue and New York City can play a part in that. Our first concern is providing services to residents and businesses. If we can fulfill that while being part of the future of cyber resilience, that’s an opportunity we want to take.”